Suspected Iranian hackers pose as ransomware operators to target Israeli organizations

Certain Iran-linked hacking groups are increasingly willing to use tactics associated with financially motivated criminals, researchers say.

Ever since a 2012 hack that disabled tens of thousands of computers at oil giant Saudi Aramco, suspected Iranian operatives have been known to regularly use data-wiping hacks against organizations throughout the Middle East.

Now, one such possible group has been posing as ransomware operators in an effort to conceal the origin of a series of data-wiping hacks against Israeli organizations, according to private-sector investigators. The hackers are demanding extortion fees even when the code they deploy deletes data rather than unlocks it.

The findings, published Tuesday by security firm SentinelOne, suggest a growing willingness by certain Iran-linked hacking groups to use tactics associated with financially motivated criminals in order to advance their interests.

“Deploying ransomware is a disruptive act that provides deniability, allowing the attackers to conduct destructive activity without taking the full responsibility of those acts,” said Amitai Ben Shushan Ehrlich, a threat intelligence researcher at SentinelOne.


SentinelOne attributed the hacks with “medium confidence” to a group “affiliated with Iran” that it is calling Agrius. The researchers cited, among other evidence, the group’s use of servers that have been linked to Iranian internet domains and malicious code from the campaign that was uploaded from Iran and other Middle Eastern countries.

The research follows other evidence that suspected Iranian government organizations have been increasingly willing to dabble in ransomware. Recently leaked documents suggest Iran’s Islamic Revolutionary Guard Corps has been involved in a ransomware campaign through a contracting company, according to threat intelligence firm Flashpoint.

The Iranian government regularly denies involvement in cyberattacks. The Iranian Mission to the United Nations did not respond to a request for a comment on the research.

It wouldn’t be the first time that a state allegedly used a wiper that posed as ransomware. In 2017, the NotPetya malicious software spread to dozens of countries, causing billions of dollars in losses to the pharmaceutical, shipping and other industries. The U. S. and U.K. governments blamed Russia for the malicious activity.

The hacks tracked by SentinelOne have targeted unnamed Israeli organizations for over a year and followed a pattern. Early on in the campaign, the attackers deployed a data “wiper” designed to delete files on a network and make it difficult for the victims to rebuild their systems, according to SentinelOne.


In later hacks, the operators turned the wiper into a “fully functional ransomware” that in one case was used against a government-owned maritime facility in the United Arab Emirates, the researchers said.

The research comes at a time when evidence of hacking operations that Iran and Israel have been conducting against each other is increasingly coming into public view. Suspected Iranian hackers impersonated a well-known Israeli physicist as part of a campaign to break into the email accounts of some two-dozen medical researchers in Israel and the U.S., security firm Proofpoint said in March.

Ohad Zaidenberg, senior cyber intelligence researcher at Israeli firm ClearSky, said that suspected Iranian hackers have carried out multiple influence operations focused on Israeli organizations in recent months. That has included leaking data stolen from Israeli firms online, Zaidenberg said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts